Fernando Morales Ortiz
Built-in XSS Protection unit challenge keeps failing when trying to Check
Hi,
I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if it is vulnerable to XSS.
Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
    <apex:sectionHeader title="Built-In XSS Protections Challenge" />
    <apex:form >
        <apex:pageBlock >
            <c:Classic_Error />
            <apex:pageMessages />
            <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">
                <apex:outputText value="{!sampleMergeField1}"/>
                <!-- sampleMergeField1 is vulnerable to XSS: NO -->
                <apex:outputText value="{!sampleMergeField2}" escape="false"/>
                <!-- sampleMergeField2 is vulnerable to XSS: YES -->
                <apex:outputText >
                    {!sampleMergeField3}
                </apex:outputText>
                <!-- sampleMergeField3 is vulnerable to XSS: NO -->
                <style>
                    .foo {
                        color: #{!sampleMergeField4};
                    }
                </style>
                <!-- sampleMergeField4 is vulnerable to XSS: YES -->
                {!sampleMergeField5}
                <!-- sampleMergeField5 is vulnerable to XSS: NO -->
                <script>
                    var x = '{!sampleMergeField6}';
                </script>
                <!-- sampleMergeField6 is vulnerable to XSS: YES -->
                <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
                <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            </apex:pageBlockSection>
            <apex:pageBlockSection title="Code links" columns="1">
                <apex:outputPanel >
                    <ul>
                        <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>
                        <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                    </ul>
                </apex:outputPanel>
            </apex:pageBlockSection>
        </apex:pageBlock>
    </apex:form>
</apex:page>
But every time I check the challenge, the same message is displayed:
I already checked that I am pointing to the right playground.
If you can check it and help find where I am going wrong I would be thankful.
Thanks
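The encoding rule quoted in the question (merge fields are auto HTML encoded unless they sit inside a <style> or <script> tag, or in an apex tag with escape='false'), applied mechanically to the posted markup. This is an added example, not part of the original thread and not Salesforce's checker; `MergeFieldAudit` and `audit` are hypothetical names, the sample page is abridged from the question, and the result reflects only that rule, not what the Trailhead challenge accepts.

```python
import re
from html.parser import HTMLParser

MERGE_FIELD = re.compile(r"\{!\s*([^}]+?)\s*\}")
# Abridged from the markup posted in the question (answer comments omitted).
SAMPLE_PAGE = """<apex:page controller="Built_In_XSS_Protections_Challenge">
  <apex:outputText value="{!sampleMergeField1}"/>
  <apex:outputText value="{!sampleMergeField2}" escape="false"/>
  <apex:outputText > {!sampleMergeField3} </apex:outputText>
  <style> .foo { color: #{!sampleMergeField4}; } </style>
  {!sampleMergeField5}
  <script> var x = '{!sampleMergeField6}'; </script>
  <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
</apex:page>"""

class MergeFieldAudit(HTMLParser):
    """Hypothetical helper. HTMLParser lower-cases tag and attribute names."""
    def __init__(self):
        super().__init__()
        self.open_tags = []  # (tag, escape_disabled) for each open element
        self.findings = []   # (expression, auto_encoded, context)

    def _scan(self, text, auto_encoded, context):
        for match in MERGE_FIELD.finditer(text):
            self.findings.append((match.group(1), auto_encoded, context))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        off = tag.startswith("apex:") and (attrs.get("escape") or "").lower() == "false"
        self.open_tags.append((tag, off))
        context = f'<{tag}> with escape="false"' if off else f"attribute of <{tag}>"
        for value in attrs.values():
            self._scan(value or "", not off, context)

    def handle_endtag(self, tag):
        names = [t for t, _ in self.open_tags]
        if tag in names:  # pop back to the matching open element
            del self.open_tags[len(names) - 1 - names[::-1].index(tag):]

    def handle_data(self, data):
        # Text is unencoded inside <script>/<style> or under an escape="false" tag.
        where = [t for t, off in self.open_tags if off or t in ("script", "style")]
        context = f"inside <{where[-1]}>" if where else "page markup"
        self._scan(data, not where, context)

def audit(page_source):
    parser = MergeFieldAudit()
    parser.feed(page_source)
    parser.close()
    return parser.findings
```

`audit(SAMPLE_PAGE)` returns one `(expression, auto_encoded, context)` tuple per merge field in document order; entries with `auto_encoded` set to `False` are the contexts the quoted rule excludes from auto encoding.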
It is necessary to change the comments to match the mentioned ones in the Challenge section, and also you must add a new line after the first use of {!sampleMergeField1} to match it to the line 10 (as the Challenge details suggest).
This code passed the challenge:
Thanks.
Thanks for the input. But this is ridiculous from Salesforce trailhead.
They gave wrong lines for the VF page, and also the instruction was not clear that the line nos. should match.
Did you just figure out an extra line is needed because the first comment was on Line 9 but the instruction was given Line 10?
Thanks
{!sampleMergeField5}
<!-- sampleMergeField5 is vulnerable to XSS: YES -->
I would have thought the answer would be NO, since the platform seems to escape any data that is rendered in a page.
Fernando's code is not working for current challenge-
This is not a different question from what gave the above "success," but it definitely requires a different set of answers.
According to the notes in the Trailhead, it should be safe.